I need to write a plugin to authenticate users. I'll explain the current process.
The server is set up to use ACL files; in particular, there is a cgi script that a user must authenticate in order to gain access to. The access method being used is "basic simple method". The login/password screen pops up when the link to the cgi is clicked, and the user enters login/password at the prompt.
From my understanding, the user/password is authenticated against an LDAP database of users (Directory Server is also being run).
The goal: I want to write my own authentication method which does not use the LDAP database of users. I want the plugin to take over after the user/password is entered, get this information and check it by a method I've defined, which I explain later in this post; it involves no database binding by the server. What I don't understand is which API must be used: the ACL API, the NSAPI in order to write an SAF, or the SLAPI for LDAP binding.
My first attempt at solving this problem involved using SLAPI, in order to do a preoperation bind to the LDAP database. Actually, my solution never involves actually accessing the LDAP database of users; I already know which users should have access based on their login and passwords. What I try to do is, if the login/password combo exists on our Sybase database (using dblib), then I return that the user is valid.
Basically, here's my solution:
1) Get the login/password info from the prompt determined by our ACL's authenticate instruction.
2) Check to see if this login/password exists on the Sybase database. I've already written this section of code, with DBlib, and know it works; I just need to integrate it into the plugin. I don't want to do a database bind via NSAPI or SLAPI; I don't even know which bind is necessary to control this authentication.
3) If the user is valid, give access to the file.
Here are my other questions:
How should I be writing this plugin? I don't understand exactly what's going on once the user enters the login/password. The manual says that by default, unless you specify a different database, the user is authenticated via our LDAP database of users. Does the user have to authenticate in order to access the LDAP user database, and then once it's bound to the LDAP user database, it's authenticated to allow access to the file (in particular our cgi)? I'm trying to avoid the database; I don't want to bind to the LDAP database or any other, I just want to do what's described in my solution.
Also, a silly question: for SLAPI plugins you register the plugin in the slapd.conf file. We don't have one of those files on our server. I know how to write the file, but what directory do I put it in?
We are using Enterprise Server and Directory Server, both version 3.51.
So any clues as to how I should implement my solution? Because the implementations I've implemented with SLAPI and NSAPI (SAF) aren't working, and I've gathered that's because I don't quite understand the authentication process for the basic auth method defined in the ACL.
Thanks for the help. Sorry to make it so long; I just wanted to give all the info.
Francis Davidson
francis_...@bscc.com
frda...@students.morehouse.edu
Note: I'm not trying to authenticate to the whole server, just files on the server.
And if you don't know how authentication works, then that's probably the
*wrong* time to attempt to rewrite it :). First learn how it works and then
determine if you actually need to write your own plugin. You may need to,
but you may not.
The way default authentication works is this:
1) The server checks to see if there is an ACL that restricts access to specific users (this could be any authenticated users OR a specific subset of users, typically referred to as a group). This ACL can be contained in the master ACL file or in .nsconfig files if you allow .nsconfig files on your server.
2) It prompts the browser for username and password.
3) The password is checked against a password database (either a UNIX password file, NCSA htpasswd-type files or an LDAP server).
4) Does the user match the group (again either NCSA password files or LDAP)?
From what I gather from your message, you have users in a separate RDBMS that you want to use for authentication (not exactly sure why you don't use LDAP for authentication since *that's* a standard, but anyway) and authorization control.
Thus you'd probably want to write your own authentication plugin for NES that can look up users in that database.
Unless you know of some magical way of looking up users in a database without connecting to it, I'm not exactly sure how you can look up users without binding to that database. :)
I've also written my own custom Perl program to do this so that I can get
more control over the LDAP authentication, using the nsapi_perl module.
If you're going to be doing a lot of NES NSAPI programming check out the
book "Programming Applications for the Netscape Servers".
Mark
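An added example, not code from this thread or from Netscape, of the decision a custom plugin would make at step 3 of the list above: parse the browser's Basic credentials and check them against a store that is not LDAP. A constructed in-memory table stands in for the Sybase lookup; the NSAPI glue is assumed (registering the function as an AuthTrans SAF and reading the header with pblock_findval) and is not shown.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Constructed stand-in for the Sybase user table the post describes. */
static const struct { const char *user; const char *pass; } users[] = {
    {"alice", "s3cret"}, {"bob", "hunter2"},
};

/* Decode base64 into out (NUL-terminated); returns length or -1 on bad input. */
static int b64_decode(const char *in, char *out, int outsz) {
    const char *tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned v = 0; int bits = 0, n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                 /* not a base64 character */
        v = (v << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz - 1) return -1; /* would overflow the buffer */
            out[n++] = (char)((v >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return n;
}

/* Constant-time compare: does not leak how many leading password chars matched. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i < lb ? i : 0]);
    return diff == 0;
}

/* Returns 1 when the Authorization header carries valid Basic credentials, else 0.
   In an NSAPI AuthTrans SAF (assumption) the string would come from
   pblock_findval("authorization", rq->headers). */
int check_basic_auth(const char *authorization) {
    char buf[256], *colon; size_t i; int ok = 0;
    if (!authorization || strncasecmp(authorization, "Basic ", 6) != 0) return 0;
    if (b64_decode(authorization + 6, buf, sizeof buf) < 0) return 0;
    colon = strchr(buf, ':');              /* decoded form is "user:password" */
    if (!colon) return 0;
    *colon = '\0';
    for (i = 0; i < sizeof users / sizeof users[0]; i++)   /* Sybase lookup goes here */
        if (strcmp(users[i].user, buf) == 0 && ct_equal(users[i].pass, colon + 1))
            ok = 1;
    return ok;
}
```

A real SAF would, on 1, record the verified user for the later PathCheck stage and, on 0, answer 401 with a WWW-Authenticate: Basic challenge so the browser re-prompts.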